
How else can websites get my information?

In a series of three previous questions (What can a website I visit tell about me?, What are browser cookies and how are they used?, and What are tracking cookies and should they concern me?), I discussed some of the information that websites get automatically or through legitimate use of cookies, and how cookies can be used “behind the scenes” by networks of websites to track your visits to sites in the network.

In this article, I’m going to cover three loose ends that, while unrelated to each other, are other ways that websites can get information you probably didn’t realize you were giving them.

Malware

The biggest risk by far for getting information from your computer into the hands of others is malware.

Forget all the IP address information, cookies, and cookie tracking I’ve discussed in the previous articles. While perhaps annoying, they’re typically legitimate and have access to only a limited subset of your information.

Malware can get it all.

I know it seems a little out of place to be discussing malware, and particularly spyware, when discussing what information you might be giving to websites, but I need to make clear that spyware is by far the bigger risk. To focus on the perceived dangers of surfing otherwise legitimate sites while ignoring the very real risks of spyware and viruses is a huge mistake and can result in much, much bigger issues of information theft.

With that important reminder out of the way, we return to the “mostly legitimate”.

Toolbars

Toolbars frustrate me no end. It seems like every time I download some new utility or update, the setup also wants to install an additional toolbar in my browser. I don’t want them. Fortunately, most well-behaved sites and utilities will let you turn off a new toolbar install. I have to say, though, that having it install by default unless you tell it not to is, in my opinion, at best rude and at worst, downright malicious.

Why is everyone so interested in getting additional toolbars installed in your browser? Because many toolbars collect information about your surfing habits.

Think about it – toolbars sit in your browser and have easy access to everything you might be doing – even the very keystrokes you might be typing. Most are not truly malicious (i.e. they’re not capturing your passwords), but many can report to some third party the sites you visit for more data collection, without relying on cookies to do it.

I have exactly two toolbars installed in Firefox: Roboform and Delicious. On some machines I also have the Google toolbar installed. In each case, those are choices I made for specific functionality I want, and they’re toolbars from folks I trust.

Cloaked Links

This gets back to cookies, and the difference between “first-party” and “third-party” cookies.

It’s possible to place a link on a website that goes “through” a third party and, by doing so, give that third party the ability to place a cookie as if it were a first party. Redirection services like tinyurl or snipurl let you replace a long URL with a short one. You go to the tinyurl.com address and it immediately and transparently redirects you to the actual destination. This redirection technology is very simple, very common, and fairly powerful.

Let’s look at an example, and exactly how it affects cookies.

https://go.askleo.com/ms

That’s a link, here on askleo.com, that takes you to microsoft.com, but through my redirector on go.askleo.com (go.askleo.com is another of my sites, by the way, so it’s safe in this example).

Let’s look at what happens:

  • You’re on askleo.com, and by virtue of that askleo.com can place first party cookies.
  • You click on that link, https://go.askleo.com/ms, which takes you first to go.askleo.com.
  • Because you visited it directly, go.askleo.com now has “first-party” status. That means that go.askleo.com can place cookies on your machine even if you have your browser set to disable third-party cookies.
  • go.askleo.com uses a tinyurl-like redirector to send you off to microsoft.com without ever displaying a page.

The upshot? go.askleo.com had the opportunity to place a first-party cookie, even though you never saw a page on go.askleo.com.
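To see this for yourself on any link, capture the response headers of each hop and look for cookies set by a hop that only redirects. The Python below is an added example, not code from this site: it audits such a capture, and the sample hops, the cookie name `visitor`, and its value and lifetime are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample: (requested URL, raw response head) for each hop after
# clicking the link. The cookie name, value and lifetime are invented; the
# page does not say what, if anything, go.askleo.com actually sets.
CONSTRUCTED_HOPS = [
    ("https://go.askleo.com/ms",
     "HTTP/1.1 302 Found\r\n"
     "Location: https://microsoft.com/\r\n"
     "Set-Cookie: visitor=abc123; Max-Age=31536000; Path=/\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("https://microsoft.com/",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]
REDIRECTS = {301, 302, 303, 307, 308}

def parse_head(raw):
    """Split a raw response head into (status code, [(name, value), ...])."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_chain(hops):
    """List cookies set by hops that redirected without showing a page."""
    findings = []
    for url, raw in hops:
        status, headers = parse_head(raw)
        if status not in REDIRECTS:
            continue
        location = next((v for n, v in headers if n == "location"), None)
        for value in (v for n, v in headers if n == "set-cookie"):
            jar = SimpleCookie()
            jar.load(value)
            for name, morsel in jar.items():
                findings.append({
                    "host": urlsplit(url).hostname,   # first party for this hop
                    "cookie": name,
                    "persistent": bool(morsel["max-age"] or morsel["expires"]),
                    "sends_you_to": urljoin(url, location) if location else None,
                })
    return findings
```

A finding marked persistent means the redirecting host left a cookie that outlives the browser session, which is the case that matters for later tracking.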

This looks like a number of hoops to jump through, just to place a cookie, and it is.

But it’s a hoop that advertisers are willing to jump through.

When you’re shopping, or even when you’re responding to offers on other websites, you’ll often see that a link you click on for a product or offer doesn’t look like it goes to that product’s page at all. If you look at the link before you click on it, you’ll see that it goes to an advertising provider or other third party.

I have to stress that there are many valid reasons for this to be the case – I do it myself. And I’m not even saying that placing a tracking cookie isn’t a valid reason – though it’s not something I do.

What I am saying is that this is a subtle, yet common, approach to additional data collection – be it through cookie placement for subsequent use, or simply counting the clicks (for example, that link to Microsoft.com used elsewhere on ask-leo.com has been clicked on 155 times this month).

So what’s the real bottom line of what started with a simple question: “What can a website I visit tell about me?”

  • All websites get very basic information that identifies some of your characteristics, but nothing truly or easily personally identifiable.
  • Websites have many ways to remember what you tell them.
  • Advertising networks can track you, but only your visits to sites in their network, or links taken through their services or network.
  • Advertising networks use this data in aggregate – meaning they likely don’t even bother to identify you as an individual.
  • Toolbars and other installed software can provide information to third parties.
  • Malware in the form of spyware and viruses trumps everything: they can see and report anything they want to whomever they want.

Naturally, the paranoid will see this as a big brother situation. And in fact, it’s hard to argue otherwise since with all this potential tracking going on, it’s impossible to prove that it’s not happening.

However, I don’t let it get to me. I know I’m just not that interesting.

I leave third-party cookies enabled, I watch what toolbars I install, and I make sure to keep myself clean of malware.

And I surf and shop quite securely.

4 comments on “How else can websites get my information?”

  1. Isn’t it strange? AOL, which purports to be an anti spyware and anti spam ISP, uses cookies that track your computer and then sends you advertising you didn’t ask for. (They also ignore your continued complaints about this.)
    To compound spam, they sign your name to any comment you make on one of their pages. It’s pretty easy for a spammer to add “@AOL.com” I should think.
    No wonder they are losing subscribers.

  2. Leo: One thing I’ve noticed looking at cookie files is that they feature your Windows login name in the file name itself. Do websites see your Windows login name by virtue of their cookies? If so, do they record it or correlate it with other data, such as IP addresses?

    Excellent observation. No they do not. That’s simply the filename used by the browser.

    I believe the username is an artifact of an old approach to identification used by websites that required a particular type of login. If a website required a particular type of login you used to be able to go to http://username@somerandomservice.com/ and be logged in as username (or be prompted for a password). Cookies would then be tracked separately for that username. For sites not requiring authentication I believe this is ignored. This approach is no longer supported in Internet Explorer, as it was being exploited by phishers.

    – Leo
    03-Oct-2008
  3. And that’s why I convert all my email to clear text in outlook :)

    Amazing what information can be gathered by putting HTML into email spam…
